LDAP passwordPolicyRequest fails with MD5 password hashing
Joe Friedeggs
friedeggs44 at hotmail.com
Fri Oct 30 01:20:14 UTC 2009
PAM gurus,
I am seeing some strange issues when I attempt to use MD5 password hashing from my Red Hat Linux servers. I am running the OpenLDAP client (openldap-clients.2.3.43-3) with PAM (pam-0.99.6.2-6) on RHEL5, and using the ppolicy overlay in the OpenLDAP server.
I have the following:
In /etc/ldap.conf:
pam_password md5
pam_lookup_policy yes
In /etc/pam.d/system-auth:
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 lcredit=-1 ucredit=-1 dcredit=-1 type=LDAP
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
(Note: I've tried adding 'md5' to the pam_ldap.so line as well, no help.)
Here's the problem:
With this configuration, I NEVER see the client send the passwordPolicyRequest Request Control message (controlType 1.3.6.1.4.1.42.2.27.8.5.1) in any LDAP request, thus the LDAP server never returns the password status (expired, etc.). I've also noticed that the password in LDAP shows something like "{crypt}Fe9RyjhrMaom.". So, as far as the users are concerned, their passwords never expire.
IF I change to use 'crypt' (or clear-text) instead of MD5, I see the Request Control in the LDAP bind from the Linux LDAP client, and password expiry notification works fine.
OR, IF I change the password in LDAP manually to MD5 (using ldapadmin tool), where it shows something like "{MD5}rFyeI1Li1xieh1hj2lRvRw==", the Request Control is sent from the client.
Any ideas? Is this a known bug?
Thanks,
Joe
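The post shows that the scheme of the stored userPassword value ({crypt} with a 13-character DES hash versus {MD5}) decides whether the client's behaviour matches what the administrator configured. As an added example (not part of the original message or of any PADL/OpenLDAP code), the script below audits an LDIF dump of userPassword attributes, classifies each value's hash scheme, and flags entries whose scheme differs from the expected one or is weak. The LDIF text is constructed for this example: the two values quoted in the post are used verbatim, and the crypt-MD5 and SSHA values are made up.

```python
import base64
import re

# Constructed LDIF sample for this example: the two userPassword values quoted
# in the post, plus a crypt-MD5 hash and a base64-encoded SSHA value for
# contrast. The values for bob and carol are invented, not real hashes.
SSHA_VALUE = b"{SSHA}" + base64.b64encode(b"0123456789abcdef0123" + b"salt")
SAMPLE_LDIF = (
    "dn: uid=joe,ou=people,dc=example,dc=com\n"
    "userPassword: {crypt}Fe9RyjhrMaom.\n"
    "\n"
    "dn: uid=alice,ou=people,dc=example,dc=com\n"
    "userPassword: {MD5}rFyeI1Li1xieh1hj2lRvRw==\n"
    "\n"
    "dn: uid=bob,ou=people,dc=example,dc=com\n"
    "userPassword: {crypt}$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0\n"
    "\n"
    "dn: uid=carol,ou=people,dc=example,dc=com\n"
    "userPassword:: " + base64.b64encode(SSHA_VALUE).decode() + "\n"
)

# Traditional DES crypt: exactly 13 characters from the crypt alphabet.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Schemes a defender would not want to find in a modern directory.
WEAK_SCHEMES = {"cleartext", "crypt-des", "md5", "sha"}


def classify_hash(value: str) -> str:
    """Return a short label for the hash scheme of one userPassword value."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}(.*)$", value, re.DOTALL)
    if not m:
        return "cleartext"  # no {SCHEME} prefix: stored as plain text
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme == "CRYPT":
        # {crypt} is a family; the body tells which crypt(3) variant it is.
        if rest.startswith("$1$"):
            return "crypt-md5"
        if rest.startswith("$5$"):
            return "crypt-sha256"
        if rest.startswith("$6$"):
            return "crypt-sha512"
        if DES_CRYPT_RE.match(rest):
            return "crypt-des"
        return "crypt-other"
    return scheme.lower()  # md5, smd5, sha, ssha, ...


def parse_ldif(text: str):
    """Return [(dn, [userPassword values])]; decodes '::' base64 lines."""
    entries, dn, pws = [], None, []
    for line in text.splitlines():
        if not line:  # blank line ends an entry
            if dn is not None:
                entries.append((dn, pws))
            dn, pws = None, []
        elif line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: "):
            pws.append(base64.b64decode(line[15:]).decode("utf-8", "replace"))
        elif line.startswith("userPassword: "):
            pws.append(line[14:])
    if dn is not None:
        entries.append((dn, pws))
    return entries


def audit_ldif(text: str, expected: set) -> dict:
    """Map each dn to (scheme, matches_expected, is_weak)."""
    report = {}
    for dn, pws in parse_ldif(text):
        for pw in pws:
            scheme = classify_hash(pw)
            report[dn] = (scheme, scheme in expected, scheme in WEAK_SCHEMES)
    return report


if __name__ == "__main__":
    # The post's configuration (pam_password md5) leads one to expect {MD5}.
    for dn, (scheme, ok, weak) in audit_ldif(SAMPLE_LDIF, {"md5"}).items():
        flags = ("" if ok else " MISMATCH") + (" WEAK" if weak else "")
        print(f"{dn}: {scheme}{flags}")
```

Run against a real dump produced by ldapsearch with the userPassword attribute (which requires a bind that is permitted to read it), the MISMATCH flag identifies accounts whose stored hash was written by a different path than the one the PAM configuration intends.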